Mobile app security grabs feds' attention

Recognizing the increased use of mobile apps at businesses, the National Institute of Standards and Technology (NIST), a U.S. government agency, has published recommendations (Special Publication 800-163, "Vetting the Security of Mobile Applications") on vetting the security of these applications, with steps ranging from risk management to testing.

In the January report, NIST notes how mobile apps can provide "unprecedented" connectivity between employees, customers, and vendors. The apps also offer unrestricted mobility, as well as improved functionality and real-time information sharing.

At the same time, NIST points out concerns. "Despite the benefits of mobile apps, however, the use of apps can potentially lead to serious security issues. This is so because, like traditional enterprise applications, apps may contain software vulnerabilities that are susceptible to attack," the report says. "Such vulnerabilities may be exploited by an attacker to gain unauthorized access to an organization's information technology resources or the user's personal data."

NIST advises developing security requirements on issues such as securing data and acceptable levels of risk. Specific recommendations are offered for the planning, app testing, and app approval/rejection processes. For planning, key recommendations include:

Performing a risk analysis to understand the potential security impact of mobile apps on computing, networking and data resources

Documenting mobile device hardware and operating system security controls and identifying which security and privacy requirements can be addressed by the device itself

Documenting mobile enterprise security technologies, such as mobile device management, and identifying security and privacy requirements that can be addressed by these technologies

Reviewing the organization's mobile security architecture

Developing application security requirements by noting general and context-sensitive requirements

Procuring an adequate budget for vetting of applications

In the testing realm, NIST advises:

Identifying general app security requirements

Selecting testing tools and methodologies that determine whether general app security requirements are satisfied or violated

Monitoring public databases, mailing lists, and other publicly available security vulnerability reporting repositories

Training auditors on security requirements and interpretation of analyzer reports and risk assessments

The report also covers Android and iOS vulnerability types, as well as testing approaches and understanding the limitations of vetting. NIST touches on traditional vs. mobile security issues too. "Mobile devices provide access to potentially millions of apps for a user to choose from. This trend challenges the traditional mechanisms of enterprise IT security software where software exists within a tightly controlled environment and is uniform throughout the organization."
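To make the testing recommendations concrete, the following is an added example, not code from the NIST report or from the article: a small Python checker that reads an Android manifest and reports where it violates a handful of general app security requirements of the kind an organization might adopt (no debug builds, no default data backup, no cleartext traffic, no exported components without a permission, and a minimum platform version). The rule set, the minimum SDK floor of 26 and the sample manifest for the hypothetical package com.example.vetting are all assumptions constructed for this illustration; a real vetting pipeline would run this kind of check over the decoded APK alongside dynamic analysis.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Android resource namespace used for android:* attributes in the manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Return the android:<name> attribute of an element, or None."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


@dataclass
class Finding:
    requirement: str  # which general security requirement is violated
    location: str     # element in the manifest where it was found
    detail: str


def is_launcher(comp):
    """True if the component carries a MAIN/LAUNCHER intent filter (legitimately exported)."""
    for f in comp.findall("intent-filter"):
        actions = {attr(a, "name") for a in f.findall("action")}
        cats = {attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def check_manifest(manifest_xml: str, min_sdk_floor: int = 26) -> list[Finding]:
    """Evaluate a manifest against an assumed (hypothetical) set of general app security requirements."""
    root = ET.fromstring(manifest_xml)
    findings = []

    uses_sdk = root.find("uses-sdk")
    min_sdk = int(attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    if min_sdk < min_sdk_floor:
        findings.append(Finding("minimum platform", "uses-sdk",
                                f"minSdkVersion={min_sdk} is below the floor of {min_sdk_floor}"))

    app = root.find("application")
    if app is None:
        findings.append(Finding("manifest structure", "manifest", "no <application> element"))
        return findings

    if attr(app, "debuggable") == "true":
        findings.append(Finding("debug build", "application", "android:debuggable=\"true\""))
    # allowBackup defaults to true when absent, so only an explicit "false" satisfies the requirement.
    if attr(app, "allowBackup") != "false":
        findings.append(Finding("data backup", "application", "android:allowBackup not set to \"false\""))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(Finding("cleartext traffic", "application", "android:usesCleartextTraffic=\"true\""))

    for comp in app:
        if comp.tag not in COMPONENT_TAGS or is_launcher(comp):
            continue
        exported = attr(comp, "exported")
        # Before Android 12 a component with an intent filter and no android:exported is exported by default.
        is_exported = exported == "true" or (exported is None and comp.find("intent-filter") is not None)
        if is_exported and attr(comp, "permission") is None:
            findings.append(Finding("component exposure", f"{comp.tag} {attr(comp, 'name')}",
                                    "exported without an android:permission guard"))
    return findings


# Constructed sample manifest for a hypothetical app (not a real application).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.vetting">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:label="Vetting Demo" android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.vetting.data" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in check_manifest(SAMPLE_MANIFEST):
        print(f"[{f.requirement}] {f.location}: {f.detail}")
```

Each finding names the requirement it violates, so an auditor reading the analyzer report can map results back to the organization's written requirements rather than to tool-specific rule names; the launcher activity is exempted because it must be exported to be started at all.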

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.